Cracking the Perimeter is a journey of practical hacking combined with imaginative thinking allowing you to perform complex hacks in order to, yes penetrate / crack the perimeter.

Even within the Web Application Security part I learned something new and during the rest of the course I learned a lot about shellcode, overflows, and everything else mentioned on their website which is a must to know (in hardcore depth) if you want to pass the certification.

I used many hours within the labs where I made sure to learn everything I could and more about the course material.

I don't think anyone will regret doing this course, cause it's probably one of the hardest if not the hardest certification to achieve at the moment ;)

Last edited by MaXe on Tue Aug 17, 2010 10:04 am, edited 1 time in total.

Can you give any required skills/recommended resources to fill in the gaps between the OSCP and OSCE. It was my impression that the OSCE was significantly more advanced, and it wasn't intended to simply be a natural continuation of the OSCP.

I start on the 29th, so I'll be sure to try to fill in the blanks as I go. I haven't done OCSP, so taking on the OCSE was a little intimidating. I finally decided that I had enough interest in the topic to invest the time and enough background to not be wasting my money so I bit the bullet and went for it. I'll post back by mid September and let you know if I think it was a mistake.

If anyone can share some insight (besides what's in the syllabus), please do so. I've already paid, so I'm stuck, but I would like to know about others' experiences.

I made the decision after hearing the same thing as MaXe said echoed by everyone who had taken the course (I won't regret it).

While I've not paid for it, yet (and won't be until my medical situation is squared away and I'm off these darned meds,) this one is on my list, for one of my next certs to do. So by all means, let us know what you think of it, former33t (and any others who challenge the course.)

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

The skills I think that are required to do the course only would be:- Web Application Security knowledge. (PHP, MySQL and Apache)-- You should be able to understand how most if not all vulnerabilities within PHP works.-- Here's a good "article" to read: http://forum.intern0t.net/offensive-gui ... irgod.html-- Have a good understanding of how the HTTP protocol works.

- Shellcode and Assembly Instructions / Opcodes-- You should be able to write simple shellcode or be ready to become dedicated to write your own shellcode.-- If you're not a shellcode "writer" you should be ready to manually write it yourself.(Metasploit can't always help you in cases where you must use advanced methods.)

- Generic knowledge about networks and other protocols-- You should know how the TCP/IP (and UDP) protocols function though you don't have to be an engineer.-- Have a basic understanding of spoofing and man-in-the-middle attacks.

Note: Knowing a scripting language such as Python, Perl or perhaps PHP (CLI) is a good idea too.

You should also have a lot of patience, the will to learn new topics (in-depth, don't avoid any of the exercises) and have a lot of time you can use in the labs to study the course material and the following exercises.

If you choose 30 days it may be some very intensive 30 days, and if you choose 60 days then you should be able to have spare time in between. (I did this course after work in case you wonder.)

About the examination, well I won't disclose too many details on that. But everything covered in the course is only the beginning and you should therefore dedicate a lot of time to learn Web Application Security and Software Exploitation / Security in-depth. (This includes self-written (custom) optimized shellcode and a lot more!)

One shouldn't be intimidated by these facts, because it is one of the greatest journeys I've ever taken and I believe it really is one of the toughest if not the toughest certification at this date. If you have this certification, then I know you're above average within IT-security / Hacking

@former33t: I haven't done the PWB Course neither the OSCP examination, but it is possible to do and understand the CTP course if you have a good understanding about IT-security / Hacking. You won't regret this course ;-)

I am challenging OSCP tomorrow morning and IF everything goes well, OSCE would probably be the next one.

The skills I think that are required to do the course only would be:- Web Application Security knowledge. (PHP, MySQL and Apache)-- You should be able to understand how most if not all vulnerabilities within PHP works.-- Here's a good "article" to read: http://forum.intern0t.net/offensive-gui ... irgod.html-- Have a good understanding of how the HTTP protocol works.

I am also looking at a very good web app pentest course. Would you consider OSCE to cover web app exploit in depth?

I got through their registration challenge quickly, but I really don't want to give me a false sense of where I stand in terms of the course content. I'm solid on the networking side of things, decent with the web stuff, but I am completely lacking on shellcoding/exploit development side of things.

I am challenging OSCP tomorrow morning and IF everything goes well, OSCE would probably be the next one.

The skills I think that are required to do the course only would be:- Web Application Security knowledge. (PHP, MySQL and Apache)-- You should be able to understand how most if not all vulnerabilities within PHP works.-- Here's a good "article" to read: http://forum.intern0t.net/offensive-gui ... irgod.html-- Have a good understanding of how the HTTP protocol works.

I am also looking at a very good web app pentest course. Would you consider OSCE to cover web app exploit in depth?

Thanks and good luck!

The CTP course will give you some ideas about Web Application Security in-depth and the examination will prove that point, but it does not cover everything there is and you should have a very good base either from another certification or by self-study.

I don't know of any certifications within Web App Sec that are worth doing but I'll be glad to hear of any ;)

dynamik wrote:Thanks for the feedback, MaXe.

I got through their registration challenge quickly, but I really don't want to give me a false sense of where I stand in terms of the course content. I'm solid on the networking side of things, decent with the web stuff, but I am completely lacking on shellcoding/exploit development side of things.

Sounds good, but you should focus on learning more about Exploit Development then and of course Shellcoding even though most of this is covered within the course quite well (don't forget to use the forums too). I can't say that you'll know everything about exploit development after the CTP course, cause you won't but you'll have a better understanding especially if you've played with a few simple Stack Overflows in the past

Note: Nothing within the CTP course and the OSCE examination is impossible to do, but it is quite hard. (Especially the exam.)

Last edited by MaXe on Fri Aug 20, 2010 9:55 am, edited 1 time in total.

@dynamikNothing related to this thread, but just wanted to tell you that if you ever start learning from shellcoder's handbook use an old distro for the first 4-5 chapters. Preferably Redhat Linux 8 and above.The examples used in these chapters assume that you've absolutely no protection enabled in your system- NX bits, ASLR... Even Redhat Linux 9 uses ASLR, built in the kernel and can't be disabled, and so you won't be able to use it for a LOT of exploits.Majority of these protections can be disabled in the current distributions but there are still hidden elements which prevent your code from working properly. I learned all of this the hard way

It's still fun to first test your code in an old distro and then try to make it work in the newer ones